What is the Australian Voluntary AI Safety Standard?
The standard was published by the Department of Industry, Science and Resources in 2024. It establishes 10 guardrails for the safe and responsible use of AI in Australian organisations. It is voluntary today but is a leading indicator of pending mandatory regulation for high-risk AI use cases. The guardrails cover accountability, risk management, data quality, testing, human oversight, transparency, contestability, accountability process, supply chain transparency, and stakeholder engagement.
Is the AU Voluntary AI Safety Standard mandatory?
Not today. It is voluntary. However, several factors point toward mandatory AI regulation for high-risk use cases over the next 24 months. The EU AI Act has set a global benchmark. The OECD AI Principles inform the standard. The Privacy Act 2024 reforms include AI-influenced decision-making in scope. Mid-market organisations adopting the Voluntary Standard early are positioning ahead of the regulatory curve.
What are the 10 guardrails?
1) Establish accountability process; 2) Risk management process; 3) Data quality and governance; 4) Testing and monitoring; 5) Human oversight; 6) Transparency about AI use; 7) Contestability; 8) Records and engagement with stakeholders; 9) Third-party AI supply chain; 10) Accountability process for AI safety risks. The 10 are interconnected — most organisations find they need to address them in a connected programme, not standalone.
How does Microsoft 365 Copilot fit AI governance?
Microsoft 365 Copilot is an AI system under the Voluntary Standard's definition. The governance work matters even for Copilot specifically: the AI policy needs to cover Copilot use cases, the human-in-the-loop expectation applies to Copilot-influenced decisions, and the data quality controls (sensitivity labels) determine what Copilot can access. Most AU mid-market AI governance work in 2026 is anchored on Copilot governance because it's the most-deployed AI system.
What about Copilot Studio agents we build ourselves?
Custom agents (built in Copilot Studio or otherwise) are higher-risk than off-the-shelf Copilot because the organisation is the AI system owner, not the consumer. The governance bar is higher: documented purpose, data sources, decision impact assessment, testing before deployment, ongoing monitoring, and a contestability process. Treat custom agents as a separate row in the AI use case inventory with a high or medium risk classification by default.
How does AI governance overlap with the Privacy Act?
AI-influenced decisions about individuals engage the Privacy Act 1988. APP 1 (open and transparent management), APP 5 (notification of collection), APP 11 (security), and APP 12 (access and correction) all read on AI decision-making about customers, employees and candidates. The OAIC has signalled that 'reasonable steps' under APP 11 will increasingly require AI-specific governance for high-risk AI use cases. The Voluntary AI Safety Standard provides a reasonable-steps baseline.
What is the Frontrow AI governance maturity review?
A direct review of AI use cases, AI policy, governance committee structure, risk classification, vendor assessment programme and contestability process. Output: gap report against the 10 guardrails of the AU Voluntary AI Safety Standard, prioritised remediation plan with named owners, draft AI policy and inventory templates. Indicative pricing on request.
How is this self-assessment validated?
Every scoring threshold cites a primary source: the AU Voluntary AI Safety Standard guardrails, the OECD AI Principles, ISO/IEC 42001 AI management systems standard, and the Microsoft Responsible AI Standard for the practical M365 mapping. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).